3
votes

I'd like to set up a workflow where users are unable to edit an item once it gets in a certain state.

According to the Sitecore Security Admin cookbook, the Workflow State Write Right — controls whether a user can update items which are currently associated with a specific workflow state.

I assumed this would be perfect; however, this right actually removes all workflow commands from the item as well.

Basically, in the "Reviewing" workflow state, the user should only have the option to Submit for Release or Reject. The Reject action returns the item to the previous workflow state of "Draft". The Submit for Release action changes the workflow state to "Pending Approval", which a publisher must approve. The edit option should not appear or should be disabled.

The only issue I have is that, when the item is in "Reviewing", the edit button is still available. When I modify the permission on the "Reviewing" workflow state to deny either Edit and/or Workflow State Write, authors are unable to see workflow commands on the item, and they get the notice that they do not have edit rights to the item.

At some point, I was able to set the permissions in such a way that I got a notification that said something like, "the workflow state of this item does not allow edit"; however, I was still able to see and click the edit button. I haven't figured out the correct security setting to get that notice to reappear.

Thanks,

Nona

2
How about denying Workflow State Read on the state item? - Gabbar

Hi Gabbar, there isn't a Workflow State Read, only delete, write and execute. - Nona Drake

2 Answers

0
votes

In reviewing the code for the Workflow Panel that displays the commands for a workflow state, there isn't any logic that validates against the Workflow Write Access.

I was forced to create a new class and add an isAllow check for the Workflow State. https://github.com/NDurham12/Fmcti.SharedSource.Workflow.

I also have requested that Sitecore list this as a bug or feature request.

0
votes

Actually, I asked Sitecore support about this a while ago, and they gave me the following solution:

Items are available for approving in Workflow when the user has 'Read' and 'Write' access rights to the item and 'WorkflowStateWrite' access right to the workflow state. These requirements are specified by design. I'll try to register a wish about allowing to achieve this behavior out of the box.

Now you may work around this design decision by using and customizing Workbox.

You can try to use the following solutions:

  1. Allow the 'Write' access right to the item and the 'WorkflowStateWrite' access right to all the Workflow states of a current workflow, and deny the access to the 'Content Editor' (or the 'Page Editor') for the specific user or role.
  2. Deny 'Write' access to the item for the specific user or role and customize the 'GetItems' method of the WorkboxForm class (Sitecore.Shell.Applications.Workbox.WorkboxForm, Sitecore.Client). This will allow the Workbox to retrieve items which the current user does not have write access rights to.

For example:

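```csharp
// Requires: System.Collections, Sitecore, Sitecore.Data, Sitecore.Data.Items, Sitecore.Workflows
private DataUri[] GetItems(WorkflowState state, IWorkflow workflow)
{
    ArrayList list = new ArrayList();
    DataUri[] items = workflow.GetItems(state.StateID);
    if (items != null)
    {
        foreach (DataUri uri in items)
        {
            Item item = Context.ContentDatabase.Items[uri];

            // Compare the account name, using a verbatim string so the backslash
            // in the domain-qualified name is not read as an escape sequence.
            if (Sitecore.Context.User.Name == @"sitecore\Specific User")
            {
                // For this user the lock checks are skipped, so items the user
                // cannot write to (and therefore cannot lock) are still listed.
                if (item != null && item.Access.CanRead()
                    && item.Access.CanReadLanguage() && item.Access.CanWriteLanguage())
                {
                    list.Add(uri);
                }
            }
            else
            {
                // Everyone else: read and language access plus the ability to
                // lock the item (or an existing lock), unless administrator.
                if (item != null && item.Access.CanRead()
                    && item.Access.CanReadLanguage() && item.Access.CanWriteLanguage()
                    && (Context.IsAdministrator || item.Locking.CanLock() || item.Locking.HasLock()))
                {
                    list.Add(uri);
                }
            }
        }
    }
    return (list.ToArray(typeof(DataUri)) as DataUri[]);
}
```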

Note that you may also want to hide the "Open" item in Workbox or override its behavior. I can see two ways to achieve this; I'll provide instructions for each approach so you can choose which to use.

  1. Open the WorkboxItem.xml file (website/sitecore/shell/Applications/Workbox/WorkboxItem.xml) and comment out the following line:

```xml
<WorkboxCommand Icon="Applications/16x16/document_view.png" Header="Open" Command="$Click"/>
```

But in this case the 'Open' button will be hidden for all users.

  2. You need to customize the logic of the 'Open' method (Sitecore.Shell.Applications.Workbox.WorkboxForm class).

For example:

```csharp
protected void Open(string id, string language, string version)
{
    // Build the query string that the Content Editor expects for this item.
    string sectionID = RootSections.GetSectionID(id);
    UrlString str2 = new UrlString();
    str2.Append("ro", sectionID);
    str2.Append("fo", id);
    str2.Append("id", id);
    str2.Append("la", language);
    str2.Append("vs", version);

    var application = "/sitecore/content/Applications/Content editor";

    // The lookup returns null when the current user cannot read the
    // Content Editor application item.
    Item item = Client.Site.Database.Items[application];

    if (item == null)
    {
        SheerResponse.Eval("alert('You do not have access to the Content Editor')");
    }
    else
    {
        Windows.RunApplication("Content editor", str2.ToString());
    }
}
```

Please take into account that all these code samples are just examples, and maybe it is better to give users the ability to edit content, but only some allowed parts.